II. BODY OF THE WORK
2. INTERVENTION PROJECT
2.2. Project design
This section lists a sample netperm-table file. To help you understand this file better, a prodigious number of comments are included. In addition, a wide variety of options are included so that you can see how the examples used in the chapter would appear when configuring the TIS Toolkit.
#
# Sample netperm configuration table
#
# Change YOURNET to be your network IP address
# Change YOURADDRESS to be the IP address of a specific host
#
# Example netacl rules:
# ---
# if the next 2 lines are uncommented, people can get a login prompt
# on the firewall machine through the telnet proxy
# This is okay, but means that anyone who is authorized to connect to the
# firewall box through the proxy can get a login prompt on the firewall.
# In most circumstances, it is best to provide tight controls on who can log in
# directly to the firewall.
#netacl-telnetd: permit-hosts 127.0.0.1 -exec /usr/libexec/telnetd
#netacl-telnetd: permit-hosts YOURADDRESS -exec /usr/libexec/telnetd
#
# This rule says that only telnet sessions through netacl from these two hosts
# will be accepted.
netacl-telnetd: permit-hosts 206.116.65.2 206.116.65.3 -exec /usr/libexec/telnetd
#
# if the next line is uncommented, the telnet proxy is available
#netacl-telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
#
# if the next 2 lines are uncommented, people can get a login prompt
# on the firewall machine through the rlogin proxy
#netacl-rlogind: permit-hosts 127.0.0.1 -exec /usr/libexec/rlogind -a
#netacl-rlogind: permit-hosts YOURADDRESS 198.6.73.2 -exec /usr/libexec/rlogind -a
#
# if the next line is uncommented, the rlogin proxy is available to any host
#netacl-rlogind: permit-hosts * -exec /usr/local/etc/rlogin-gw
#
# The next line allows FTP sessions from the specified network(s) to the
# firewall system itself.
netacl-ftpd: permit-hosts 206.116.65.* -exec /usr/libexec/ftpd -A -l
#
# Uncommenting the next line will turn off FTP and print a message to that
# effect whenever someone attempts to access the FTP port.
# netacl-ftpd: permit-hosts 206.116.65.147 -exec /bin/cat /usr/local/etc/noftp.txt
#
# to enable finger service uncomment these 2 lines
#netacl-fingerd: permit-hosts YOURNET.* -exec /usr/libexec/fingerd
#netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
#
# Example smap rules:
# ---
# These rules control the operation of the SMAP and SMAPD applications.
smap: userid 6
smap: directory /var/spool/smap
smap: timeout 3600
#
# Change this to increase/decrease the maximum message size that will be
# permitted.
smap: maxbytes 10000
smap: maxrecip 20
#
# This configuration section is for the SMAPD application
#
smapd: executable /usr/local/etc/smapd
smapd: sendmail /usr/sbin/sendmail
smapd: userid 6
smapd: directory /var/spool/smap
smapd: baddir /var/spool/smap/bad
smapd: wakeup 900
#
# Example ftp gateway rules:
# ---
# These rules control the operation of the FTP proxy
#
# Use the following lines to configure the denial, welcome and help messages
# for the proxy.
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: help-msg /usr/local/etc/ftp-help.txt
#
# Use the following lines to use the authentication server
ftp-gw: authserver localhost 7777
#
# set the timeout
ftp-gw: timeout 3600
# uncomment the following line if you want internal users to be
# able to do FTP with the internet
# ftp-gw: permit-hosts 206.116.65.*
#
# the following line logs all get and put requests, and authorizes put
# requests.
ftp-gw: permit-hosts 206.116.65.* -log { retr stor } -auth { stor }
# uncomment the following line if you want external users to be
# able to do FTP with the internal network using authentication
#ftp-gw: permit-hosts * -authall -log { retr stor }
#
# Example telnet gateway rules:
# ---
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: timeout 3600
tn-gw: prompt "Enter Command>"
#
# the following line permits a telnet only to hosts in the .fonorola.net
# domain. All other requests are denied.
#tn-gw: permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
tn-gw: permit-hosts 206.116.65.* -passok -xok
# tn-gw: deny-hosts * -dest 206.116.65.150
# if this line is uncommented incoming traffic is permitted WITH
# authentication required
# tn-gw: permit-hosts * -auth
# Example rlogin gateway rules:
# ---
#rlogin-gw: permit-hosts YOURNET.* -passok -xok
rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
rlogin-gw: denydest-msg /usr/local/etc/rlogin-dest.txt
#rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
rlogin-gw: timeout 3600
rlogin-gw: prompt "Enter Command>"
rlogin-gw: permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
rlogin-gw: deny-hosts * -dest 206.116.65.150
# if this line is uncommented incoming traffic is permitted WITH
# authentication required
#rlogin-gw: permit-hosts * -auth -xok
# Example auth server and client rules
# ---
authsrv: hosts 127.0.0.1
authsrv: database /usr/local/etc/fw-authdb
authsrv: badsleep 1200
authsrv: nobogus true
authsrv: permit-hosts localhost
# clients using the auth server
*: authserver 127.0.0.1 7777
# X-forwarder rules
tn-gw, rlogin-gw: xforwarder /usr/local/etc/x-gw
#
# Plug-gw
# ---
# The following rules provide examples on using plug-gw to access other
# services, such as POP mail and NNTP.
#
# Uncomment the next line to allow NNTP connections to be routed to an
# external news server for news reading.
#
# plug-gw: port 119 YOURNET.* -plug-to NEWS_SERVER_IP
#
# Uncomment the next line to allow POP mail connections from the private
# network to an external POP mail host.
# plug-gw: port 110 YOURNET.* -plug-to POP_MAIL_HOST_IP
#
# HTTP-GW
# ---
# This section provides some examples for the http-gw proxy
# http-gw: userid www
# http-gw: directory /usr/local/secure/www
http-gw: timeout 1800
http-gw: default-httpd www.fonorola.net
http-gw: default-gopher gopher.fonorola.net
http-gw: permit-hosts 206.116.65.*
# http-gw: deny-hosts 206.116.65.2
http-gw: deny-hosts unknown
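The comments in the table above repeatedly point out which lines open a proxy to any host and how the permit-hosts / deny-hosts and -dest patterns restrict who may use each gateway. The following Python script is an added example, not code from the page or from the TIS Firewall Toolkit itself: it parses netperm-table lines, answers "would this source (and destination) be accepted by this application?" and lists active permit-hosts rules that are open to every host without requiring authentication. The function names (parse_netperm, decide, open_to_any_host) are mine; the evaluation model is an assumption, namely first-match scanning from top to bottom, shell-style wildcard matching of host patterns, the keyword unknown meaning "no reverse name", -dest patterns taken in order with a leading ! denying (as the sample's "-dest *.fonorola.net -dest !*" comment describes), and refusal when no rule matches. The embedded table is a constructed excerpt of the sample above with two of its commented lines made active for illustration.

```python
"""Audit helper for TIS FWTK-style netperm-table rules (added example, not FWTK code).

Assumed semantics (not taken from the toolkit's source): rules are scanned top
to bottom and the first permit-hosts/deny-hosts line whose host pattern matches
decides; '*' in the application field means every application; '-dest' patterns
are tried in order, a leading '!' denies; nothing matching means refuse.
"""
from fnmatch import fnmatchcase

# Constructed excerpt of the sample table; the netacl-rlogind and second ftp-gw
# lines are the "if uncommented" variants from the sample, made active here.
SAMPLE = """\
# constructed excerpt (comment lines are skipped by the parser)
netacl-telnetd: permit-hosts 206.116.65.2 206.116.65.3 -exec /usr/libexec/telnetd
netacl-rlogind: permit-hosts * -exec /usr/local/etc/rlogin-gw
netacl-ftpd: permit-hosts 206.116.65.* -exec /usr/libexec/ftpd -A -l
ftp-gw: permit-hosts 206.116.65.* -log { retr stor } -auth { stor }
ftp-gw: permit-hosts * -authall -log { retr stor }
tn-gw: permit-hosts 206.116.65.* -passok -xok
rlogin-gw: permit-hosts 206.116.65.* -dest *.fonorola.net -dest !* -passok -xok
rlogin-gw: deny-hosts * -dest 206.116.65.150
authsrv: permit-hosts localhost
*: authserver 127.0.0.1 7777
tn-gw, rlogin-gw: xforwarder /usr/local/etc/x-gw
http-gw: permit-hosts 206.116.65.*
http-gw: deny-hosts unknown
"""


def parse_netperm(text):
    """Turn 'app[, app]: keyword args...' lines into rule dicts; '#' lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        apps_part, _, rest = line.partition(":")
        apps = [a.strip() for a in apps_part.split(",")]
        tokens = rest.split()
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        hosts, opts, dests = [], [], []
        i = 0
        while i < len(args) and not args[i].startswith("-"):  # host patterns first
            hosts.append(args[i])
            i += 1
        while i < len(args):  # then option flags; '-dest X' is kept separately
            if args[i] == "-dest" and i + 1 < len(args):
                dests.append(args[i + 1])
                i += 2
                continue
            if args[i].startswith("-"):
                opts.append(args[i])
            i += 1
        rules.append({"line": lineno, "apps": apps, "keyword": keyword,
                      "hosts": hosts, "dests": dests, "opts": opts})
    return rules


def host_matches(pattern, addr, name):
    """'unknown' matches a client with no reverse name; otherwise glob on address or name."""
    if pattern == "unknown":
        return name is None
    return any(fnmatchcase(c, pattern) for c in (addr, name) if c)


def dest_match(patterns, dest):
    """First -dest pattern that matches wins: 'negated' for a '!' pattern, else 'match'."""
    for pat in patterns:
        negated = pat.startswith("!")
        if fnmatchcase(dest, pat[1:] if negated else pat):
            return "negated" if negated else "match"
    return None


def decide(rules, app, src_addr, src_name=None, dest=None):
    """Return (verdict, rule line) for a client of app; ('deny', None) if nothing matched."""
    for r in rules:
        if r["keyword"] not in ("permit-hosts", "deny-hosts"):
            continue
        if app not in r["apps"] and "*" not in r["apps"]:
            continue
        if not any(host_matches(p, src_addr, src_name) for p in r["hosts"]):
            continue
        verdict = "permit" if r["keyword"] == "permit-hosts" else "deny"
        if dest is not None and r["dests"]:
            hit = dest_match(r["dests"], dest)
            if hit == "negated":
                return ("deny", r["line"])
            if hit is None and verdict == "deny":
                continue  # a deny-hosts with -dest only covers those destinations
        return (verdict, r["line"])
    return ("deny", None)


def open_to_any_host(rules):
    """Active permit-hosts rules matching '*' with neither -auth nor -authall."""
    return [(app, r["line"]) for r in rules
            if r["keyword"] == "permit-hosts" and "*" in r["hosts"]
            and not ({"-auth", "-authall"} & set(r["opts"]))
            for app in r["apps"]]


RULES = parse_netperm(SAMPLE)

if __name__ == "__main__":
    print(decide(RULES, "netacl-telnetd", "206.116.65.2"))
    print(decide(RULES, "rlogin-gw", "206.116.65.20", dest="mail.example.org"))
    print("open to any host without authentication:", open_to_any_host(RULES))
```

Running the script flags only the netacl-rlogind line as open to any host; the ftp-gw line that also says `permit-hosts *` is not flagged because it carries -authall, which is the distinction the sample's comments draw between "available to any host" and "permitted WITH authentication required". Point the parser at a real /usr/local/etc/netperm-table instead of SAMPLE to audit a live firewall.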